Lenovo's ghastly malware mistake

By Jon Tullett, Editor: News analysis
Johannesburg, 26 Feb 2015
Lenovo's response to the incident follows the standard model for shocking and unpleasant revelations.

Lenovo was recently caught bundling malware on laptops. What followed is a predictable tale of recrimination, hurried PR spin, and public fallout. All of it was predictable, and all of it was avoidable.

Quick recap: in January, a user noticed his Lenovo laptop had a piece of adware installed as part of the Lenovo out-of-box configuration. Dubbed "Superfish", the adware injects ads into Web browsers without consent. He complained, Lenovo ignored him, and a month later security researchers discovered some critical vulnerabilities in the adware in question, promptly upgrading its designation to malware. The industry immediately blew up, with Lenovo facing opprobrium from all sides, including analysts, users, and AV vendors.

After a series of increasingly unconvincing efforts to downplay the severity of the incident, Lenovo finally apologised for the mistakes, with CTO Peter Hortensius promising to "fix the problem and restore faith in Lenovo".

Having dug the hole, then dug it deeper, Lenovo has some work to do. Here's what you need to know about the Superfish malware, and what you should demand of Lenovo in the wake of the incident.

Superfishy

Superfish is worth caring about not just because it's adware, but because it exposes users to serious security risks.

Superfish calls itself a "visual search" agent, claiming to help customers shop online. What that means is it intercepts your Web browsing, even over secure connections, and injects ads for products which match its analysis of the pages you're visiting.

Every part of that is questionable. In reverse order: analysing your browsing without consent is an invasion of privacy. Injecting ads is highly obnoxious, and actively disrupts other Web advertisers - Google, for example, takes an understandably dim view of third parties tampering with its search results.

And while intercepting Web browsing is bad, intercepting secure sessions is unforgivable.

That last part is where things got really messy. In order to hijack SSL connections, Superfish installed a root CA certificate on victim PCs, so it could operate a man-in-the-middle (MITM) attack without the users getting certificate warnings from their Web browsers. That's shocking enough - it allows Superfish to intercept logins, banking sessions, connections to corporate Web resources, and so on. But the company behind the software, Komodia, didn't just install a root CA cert; it also bundled the corresponding private key into its malware. It took scant hours for a security researcher to extract the password for that key ("komodia" - in case the company hadn't committed enough beginner mistakes already, it used such an obvious password too), which means any hacker could create certificates and conduct MITM attacks on Superfish victims.
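The practical check a defender wants after reading the above is whether a Superfish root certificate is still trusted on a given Windows machine. The script below is an added example written for this article, not code from Lenovo, Superfish or Komodia; it assumes only that the certificate's subject or issuer contains the word "Superfish", and it should be run as Administrator to inspect and clean the machine-wide store.

```powershell
# Added example, not Lenovo's or Superfish's code: audit the Windows trusted
# root stores for a Superfish CA certificate. Run as Administrator to see and
# remove entries in the LocalMachine store. Re-run after any use of the Lenovo
# recovery tools, since those reinstall Superfish along with Windows.
function Find-SuperfishRootCert {
    [CmdletBinding()]
    param(
        # Remove matching certificates instead of only reporting them.
        [switch]$Remove
    )
    $stores = 'Cert:\LocalMachine\Root', 'Cert:\CurrentUser\Root'
    $hits = foreach ($store in $stores) {
        Get-ChildItem -Path $store -ErrorAction SilentlyContinue |
            Where-Object { $_.Subject -like '*Superfish*' -or $_.Issuer -like '*Superfish*' } |
            Select-Object @{ n = 'Store'; e = { $store } },
                          Subject, Thumbprint, NotAfter, HasPrivateKey, PSPath
    }
    if (-not $hits) {
        Write-Output 'No Superfish root certificate found in the Windows root stores.'
        return
    }
    foreach ($hit in $hits) {
        # A trusted root named Superfish means HTTPS sessions on this machine can
        # be intercepted by anyone holding the leaked private key, not only the adware.
        Write-Warning ("Trusted root '{0}' in {1} (thumbprint {2}, expires {3})" -f
            $hit.Subject, $hit.Store, $hit.Thumbprint, $hit.NotAfter)
        if ($Remove) {
            Remove-Item -Path $hit.PSPath
            Write-Output "Removed $($hit.Thumbprint) from $($hit.Store)"
        }
    }
    $hits
}

# Report only; add -Remove to delete the certificates after uninstalling the adware.
Find-SuperfishRootCert
```

Browsers that keep their own trust store (Firefox, for example) are not covered by this check and need to be inspected separately; uninstall the adware itself as well, because deleting only the certificate leaves the interception software in place.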

A further twist in the tale is that efforts to remove Superfish will be complicated by its inclusion in the system recovery tools provided by Lenovo - any user who removes Superfish then reinstalls Windows will have to remember to remove it again, because it will have been silently reinstalled.

Persistence is one of the hallmarks of malware, and while this may be unintended by Lenovo, it is unlikely Komodia is unaware.

And, just to wrap up the background to this sorry tale, it turns out Komodia makes a whole bunch of other products capable of conducting SSL MITM attacks, like parental control software and corporate Web filtering, all of which are now being gleefully dissected by security researchers and hackers. If you have any Komodia products, or any products which license Komodia components, your users may be vulnerable to these attacks.

Why, Lenovo? Why?

Why did Lenovo bundle such despicable adware in the first place? The vendor's feeble protestations that it had only the wellbeing of its customers in mind are absurd, as are its claims not to have known how it behaved. Its simultaneous labelling of the issue as "severe" and dismissal of the infection as "no risk" doesn't even deserve comment.

No, we know why Lenovo was bundling adware: because it was getting 30 pieces of silver for every customer it threw under the privacy bus, and that is all there is to it.

This, unfortunately, is simply how the economics of PC sales work, particularly in notebooks. The margins are so lousy and the pricing so aggressive that vendors have to sneak revenue in the back door, and they do it by cramming their systems with bloatware - software which serves almost no purpose other than to bring in sponsorship revenue and thereby contribute a little extra to the bruised and battered bottom line. Do you really need third-party music players? CD writers? Crippled anti-virus? The bundled software in the OS usually does a perfectly adequate job of those tasks.

Faustian bargains

Speaking as someone who has on two separate recent occasions had the dubious pleasure of de-crufting Lenovo laptops for family members, I can relate all too well to the hours of laboriously looking up each piece of bloatware, checking what it does, uninstalling it, rebooting, and repeating. That's a couple of evenings I won't be getting back, but I put up with it because I grok the economics: the crap is there to reduce the sticker price, and I like the sticker price. The choice was mine - if I wanted an expensive but bloatware-free PC, I'd have headed to an iStore.

But that bargain is struck on the understanding that the junk is annoying but relatively harmless. When it crosses the line into outright malware, then there is a problem.

Stages of grief

Lenovo's response to the incident follows the standard model for shocking and unpleasant revelations, known in psychology circles as the Kübler-Ross model, and in PR circles as Crisis Management 101.

First comes denial (No we don't! Oh, we do, but it's not bad! Oh, it is, but it's not THAT bad! Oh, it is, but...oh). Next is anger (How dare these security researchers attack us? How dare Komodia make such a dreadful mistake?). Then bargaining (We've put out a removal tool for this thing and we stopped doing it, now please forgive us). Then depression (Everyone else is making the same mistake). And lastly, acceptance (We messed up; we're moving on).

In PR terms, the goal here is to minimise the impact on the brand, because doing so might prevent the loss of sales, avoid a shock to the stock price, and avert class action lawsuits. In the modern world, it tends to make things worse - the Streisand Effect in today's Internet means every attempt to spin a crisis as less severe than it is only draws attention to the disaster faster. The speed at which bad news goes viral means there is only one response that works now: own up, apologise, and remediate. No prevarication, no negotiating. Take it on the chin, and then get up again.

It's not just consumer backlash at issue. It was Microsoft which took a proactive lead by quickly adding signatures to its anti-virus tools to identify and remove Superfish: other vendors followed suit. Even the US government issued an advisory against Superfish. That left Lenovo in the unenviable position of having its default configuration trigger virus warnings; not something which would inspire consumer confidence. In other words, crisis management was only just getting started and the industry had already passed its verdict.

Was it really Lenovo's fault?

Lenovo, having taken money to preload the Superfish adware, claimed to be shocked - shocked! - that it was not the benign browser hijacker it had first thought. The blame was Superfish's, surely.

No, the blame here is squarely Lenovo's. In the first place, every OEM takes responsibility to vet its third-party bundles to make sure they work as they should, don't conflict with each other, and don't too obviously degrade the user experience. Either Lenovo failed dismally at its primary responsibility in this regard, or it knew and turned a blind eye.

This is the firm which inherited IBM's manufacturing disciplines - was there really no engineer who looked at what Superfish was doing and raised a red flag? We may never know the answer to that, but it is unlikely, Hanlon's razor notwithstanding. If they did, then someone - possibly someone as high as Hortensius - made the decision to go ahead anyway. That someone should never work in the industry again.

The reason why they should be forever blackballed is that we saw a virtually identical scenario play out almost exactly a decade ago. Lenovo clearly wasn't paying attention.

Lessons from Sony

Lenovo's Superfish debacle, described as "the biggest tech-customer betrayal in a decade", is eerily similar to its historical precedent: Sony's "XCP" malware. In 2005, Sony BMG, desperate to combat music piracy, placed rootkit malware on its audio CDs. When inserted into a PC, the software surreptitiously installed itself, scoured the victim PC for music and then reported its findings to a central server operated by Sony.

Egregious privacy violation aside, it was further compounded by the revelation that other malicious software could leverage vulnerabilities introduced by Sony's rootkit. (Does that sound familiar at all? Hello, Superfish root certificate.)

Having gone through the same pattern of denial, followed by claims of innocent intent, then claims that it wasn't as bad as reported, Sony eventually conducted a mass product recall of the affected CDs and published a removal tool. Said tool actually made the victims more vulnerable for a while - an updated version was later provided.

Sony didn't suffer much, but the industry did. A momentary stock-price blip, perhaps, but no one went to jail. Class action suits were filed, but to little effect.

But the music industry suffered a solid reversal - users who might have been on Sony's side against piracy were horrified at the incident, and it set back perceptions many years. To this day there is a lingering, arguably paranoid, contingent that still boycotts Sony products - a boycott that was fuelled less by the malware incident and more by the company's attitude. Thomas Hesse, Sony BMG president at the time, infamously declared: "Most people don't even know what a rootkit is, so why should they care about it?" It turned out people really did care.

Lessons for Lenovo

Lenovo's customers care too. And they will continue to care, not about the Superfish incident itself, but about how the company comports itself through the crisis. The cynical cycle of deny/downplay/excuse/apologise is not doing the firm any favours. Far better to apologise, and take immediate drastic measures to remove the offending software not just from users' PCs, but from the recovery partitions too. Then make lemonade. Review and publish the guidelines for how third-party software is selected, reviewed, and approved. Publish a comprehensive list of all bloatware installed on systems, with details of its provenance, its purpose, and how to remove it.

Samsung, you'll note, was recently spanked for the revelation not just that its smart TVs record private conversations, but transmit them to an unknown third party. The message is clear: customers want suppliers to come clean about their partners, and the nature of those partnerships. Lenovo had an opportunity to do just that, and turn this bitter experience into something positive. It has largely wasted that opportunity by trying to spin its way out of the mire, but despite the lost opportunity, it should still take positive, decisive action, or suffer the same lingering disapproval that has haunted Sony for over a decade.

Hortensius's open letter apologising, and promising remediation, is a start on that journey, but falls short of the full transparency I'd like to see. We can demand more, but we need to understand that if the vendors clean up their act, we will pay more for cleaner technology. Faustian bargains are attractive because they appeal to our greed; there are lessons for all of us in this incident.